Financial services firms bear the burden of complying with numerous regulations. However, as compliance guru Richard E. Mackey explains, a consistent compliance program that adheres to basic principles can ease the compliance process.

By submitting your personal information, you agree to receive emails regarding relevant products and special offers from TechTarget and its partners. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

stores, transmits or processes payment card data.

While each regulation requires certain information be protected, fortunately the security principles and controls they rely on are remarkably consistent. A well-structured security and compliance program can capitalize on this consistency and save an organization from unnecessary complexity and overwhelming cost.

While each regulation has its peculiarities, all regulations require organizations to have a structure in place that addresses the following topics:

Policy and governance

Information classification

Risk assessment and management

Identify management and access control

Service provider oversight

Monitoring

Training and awareness

Incident response

Business continuity

Understand the requirements The first step of any compliance process is to understand the requirements involved, including the intent of the regulations, type of information that needs to be protected and risks affecting that information. HIPAA, PCI DSS, and GLBA all clearly specify the information that needs to be safeguarded. The Sarbanes-Oxley Act (SOX), on the other hand, leaves much open to interpretation -- even with guidance from the Public Company Accounting Oversight Board (PCAOB), which offers guidance to corporate auditors.

Understanding the risks to information in the context of your business is another matter. No standard document can do this for you. To that end, let's look at two examples of how a common approach to addressing requirements that span regulations can ensure more consistent controls and economies of process and technology.

Common requirement: Risk assessment and management All regulations require organizations to have a risk assessment and management process in place. The PCI DSS notes risks and threats in Requirement 12. Maintain an Information Security Policy. Requirement 12.1.2 specifies that organizations have an annual process that identifies threats and vulnerabilities, and which results in a formal risk assessment. This same section further requires risks and policies to be reviewed throughout the year.

Identify all systems and applications that deal with electronic protected health information (EPHI)

Accurately and thoroughly assess risks to the confidentiality, integrity, or availability of EPHI

Assess adequacy of current controls

Implement a risk management program

While the directive to conduct formal risk assessments is clear, financial organizations trying to comply are hard pressed to understand how to conduct formal risk assessments or implement a risk management program.

Financial organizations that use frameworks like ISO 27002 or COBIT to organize their security and compliance efforts will recognize the same requirements in those standards. Fortunately, the frameworks provide better guidance in implementing risk assessment and emphasize the importance of risk assessment and management in establishing and meeting overall security goals. It can also be helpful to look to a risk management framework like OCTAVE from Carnegie Mellon University as a model to meet the requirements of ISO 27002 and regulations like PCI DSS and HIPAA.

Common requirement: Identity management and access control One of the guiding principles of all security, and certainly all regulations, is that you must know who has access to what information and what the justification is for that access.

A request and approval workflow that is auditable and involves information owners and supervisors

Access granted based on a business "need to know"

Adequate strength authentication for a given environment and system

Prompt changes to privileges and access resulting from job changes

Regular review and certification of access

Unique IDs for each user

Monitoring of user activity

While the details described in each regulation differ, the basic principles are the same and correspond quite closely to the approach described in the common security frameworks.

The lesson here, as it is above, is that a common approach can help a financial organization become compliant with multiple regulations. The alternative of specific models and mechanisms applied in different compliance domains will not only complicate matters unnecessarily, but it will also be more costly and prone to error.

Compliance programs can address requirements from multiple regulations Each passing year seems to bring with it additional regulatory requirements. However, most requirements can be met more easily by organizations with good security fundamentals. Recognizing this, financial organizations should structure their security and compliance programs to capitalize on common regulatory requirements approaches. By instituting critical processes like risk management, policy management and training, financial organizations can more easily position themselves to deal with new regulations. Good processes also allow financial organizations to take advantage of tools like identity management, vulnerability management and change control to address compliance requirements across the board.

About the author:Richard E. "Dick" Mackey is a frequent speaker and contributor to magazines and online publications. He has advised leading financial firms on compliance with PCI, GLBA, and SOX. He has also provided guidance to a wide range of companies on enterprise security architecture, identity and access management, and security policy and governance.

0 comments

E-Mail

Username / Password

Password

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy